TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Monitoring of Privacy Over Taxpayer Data Is Improving, Although Enhancements Can Be Made to Ensure Compliance With Privacy Requirements

September 22, 2006

Reference Number: 2006-20-166

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site      | http://www.tigta.gov


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 22, 2006

MEMORANDUM FOR CHIEF, MISSION ASSURANCE AND SECURITY SERVICES

FROM:     Michael R. Phillips
          Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – The Monitoring of Privacy Over Taxpayer Data Is Improving, Although Enhancements Can Be Made to Ensure Compliance With Privacy Requirements (Audit # 200620002)

This report presents the results of our review to determine whether the Office of Privacy and Information Protection has effective controls and procedures to ensure Internal Revenue Service (IRS) computer systems and employees adhere to privacy regulations. This review was included in the Treasury Inspector General for Tax Administration's Fiscal Year 2006 Annual Audit Plan and was part of the Information Systems Programs statutory requirements to annually review the adequacy and security of IRS technology.[1]

Impact on the Taxpayer

The IRS processes and maintains sensitive taxpayer information in computer systems for over 130 million taxpayers. Privacy Impact Assessments (PIA)[2] have not been conducted for all computer systems, and compliance with privacy laws has not been adequately monitored. As a result, the risk is increased that taxpayers' identities could be stolen and used for unlawful purposes.

[1] IRS Restructuring and Reform Act of 1998 (RRA 98), Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered sections of 2 U.S.C., 5 U.S.C. app., 16 U.S.C., 19 U.S.C., 22 U.S.C., 23 U.S.C., 26 U.S.C., 31 U.S.C., 38 U.S.C., and 49 U.S.C.).
[2] A PIA is an analysis of how personal information is collected, stored, shared, and managed in a Federal Government system. Specifically, a PIA (1) ensures handling conforms to applicable legal, regulatory, and policy requirements on privacy; (2) determines the risks and effect of collecting, maintaining, and disseminating personal information; and (3) examines and evaluates protection and alternative processes for handling personal data to reduce potential privacy risks.

Synopsis

The issue of privacy and security over personal information has received much publicity. For example, the Department of Veterans Affairs[3] recently reported that personally identifying data for as many as 26 million American veterans were stolen from an employee's home. This incident received significant attention because the loss of personally identifying data can represent the first step to identity theft. In 2004, the IRS received more than 130 million individual taxpayers' income tax returns. The personal information contained in these returns is converted into electronic format and used in over 240 IRS computer systems.

    The IRS is not complying with privacy legislation. As a result, the IRS does not have assurance that privacy implications have been considered and evaluated on all of its computer systems.

Within the past 2 years, the Office of Privacy and Information Protection[4] has maintained and enhanced the IRS' privacy program by chairing a working group reviewing privacy and disclosure issues and by creating an online privacy training segment on the Office of Privacy and Information Protection web site. Despite these efforts, the IRS is not complying with legislative privacy requirements. Specifically, the IRS can take further actions to ensure PIAs have been conducted for all systems and applications that collect personal information and enhance its processes to better monitor compliance with privacy policy and procedures.

The E-Government Act of 2002[5] and IRS guidelines require every computer system or project that collects personal information to have a current PIA on file with the Office of Privacy and Information Protection. As of August 2005, we were unable to locate PIAs for 130 (54 percent) of the 241 IRS computer systems that collect and process taxpayer or employee data. We attribute the missing PIAs to the lack of emphasis on privacy issues and the decision to not require that all systems be certified and accredited.[6]

Also, the PIA review process was not always consistently conducted, and review results were not always properly documented. At the time the Office of Privacy and Information Protection completed the PIAs, there were no PIA review procedures and no core list of source information to verify system facts and information. As a result, PIA reviews were not consistently performed. The analysts did not properly document actions pending or taken in a history log and can review the answers provided in the PIA only for consistency.

In addition, the Office of Privacy and Information Protection did not conduct any compliance reviews on existing PIAs. IRS procedures provide for compliance reviews as a means to validate that information submitted in the PIA truly represents the data being collected in the computer system or project. These compliance reviews can provide opportunities to update and verify information stated in the PIAs and ensure business units are complying with privacy policies and procedures.

By addressing these areas, the Office of Privacy and Information Protection would better fulfill its responsibility to create and maintain privacy awareness and monitor all uses of taxpayer data by IRS employees. This will provide the first steps to ensure the security and protection over taxpayer data throughout the agency.

[3] The Department of Veterans Affairs provides patient care, veterans' benefits, and customer satisfaction for our nation's veterans and their families.
[4] The administration of the IRS' privacy program is the responsibility of the Director, Office of Privacy and Information Protection, who reports to the Chief, Mission Assurance and Security Services. The mission of the Office of Privacy and Information Protection is to ensure IRS policies and programs incorporate taxpayer and employee privacy requirements and the personal information entrusted to the IRS remains protected, secure, and private.
[5] Pub. L. No. 107-347 (2002), sec. 208.
[6] Certification and accreditation, as defined and required by the Office of Management and Budget for all Federal Government automated information systems, is a process to provide assurance that adequate security controls are in place over computer systems.

Recommendations

We recommended the Chief, Mission Assurance and Security Services, request business owners to identify and report all systems or projects that collect personal identifiable information. A PIA should be prepared and submitted to the Office of Privacy and Information Protection for monitoring, oversight, and evaluation. The Director, Office of Privacy and Information Protection, should establish a centralized repository for all PIAs in a searchable, electronic format and verify the accuracy of the PIA inventory quarterly; initiate a program providing for the routine evaluation of employee training activities relative to current privacy policy requirements and develop a system for the tracking and monitoring of these activities; and reinforce the importance of PIA case documentation with specific instructions and implement a compliance review process to assess whether IRS business units are adhering to privacy regulations.

Response

The Chief, Mission Assurance and Security Services, agreed with our findings and recommendations. The Office of Privacy and Information Protection will annually cross-walk (reconcile) the PIA inventory to existing system inventories and provide information to business owners for systems requiring PIAs. The Office of Privacy and Information Protection will also develop and implement a process to verify the PIA inventory accuracy quarterly and is developing an electronic PIA inventory and an electronic document management system for archiving electronic PIA artifacts. In addition, the Office of Privacy and Information Protection is establishing privacy awareness training via the mandatory IRS Information Protection training and will initiate a job-specific training program for privacy. Training will be deployed via the IRS Enterprise Learning Management System to ensure accurate monitoring and tracking. Finally, the Office of Privacy and Information Protection will establish assessment standards for PIAs to ensure consistency and extent of coverage based on system complexity, along with case documentation and analysis requirements. Management's complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.


Table of Contents

Background
Results of Review
    The Office of Privacy and Information Protection Needs to Ensure Required Privacy Impact Assessments Are Conducted and Tracked
        Recommendation 1
        Recommendation 2
    Monitoring of Privacy Compliance Can Be Enhanced
        Recommendations 3 and 4
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Management's Response to the Draft Report


Abbreviations

FISMA    Federal Information Security Management Act
IRS      Internal Revenue Service
PIA      Privacy Impact Assessment


Background

Within the Federal Government, privacy can be defined as a citizen's expectation that personal information collected for official Government business will be protected from unauthorized use and access. The issue of privacy and security over personal information has received much publicity since 2005. For example, in February 2005, the Bank of America reported the loss of data tapes that contained personal information on 1.2 million Federal Government employees. More recently, in May 2006, the Department of Veterans Affairs[1] reported that personally identifying data for as many as 26 million American veterans were stolen from an employee's home. These incidents received significant attention because the loss of personally identifying data can represent the first step to identity theft, which occurs when someone uses personal information, without permission, to commit fraud or other crimes, such as opening fraudulent credit card accounts and purchasing goods.

The Federal Trade Commission[2] has reported increased filings of identity theft complaints, and the Privacy Rights Clearinghouse[3] estimates that, during 2005, over 50 million people had been put at risk as a result of security breaches. The average identity theft victim spends 175 hours and $800 resolving identity theft-related issues, and it takes 2 years to 4 years for victims to resolve all the resulting problems.

    The mission of the IRS Office of Privacy and Information Protection is to ensure IRS policies and programs incorporate taxpayer and employee privacy requirements, and the personal information entrusted to the IRS remains protected, secure, and private.

Like the private sector, the Federal Government collects enormous amounts of personal information from private citizens. For example, in 2004 the Internal Revenue Service (IRS) received more than 130 million individual taxpayers' income tax returns. Each of these tax returns includes the filer's name, address, Social Security Number, and other personal financial data. This personal information is converted into electronic format and used in over 240 IRS computer systems, such as the Integrated Data Retrieval System.[4]

From a legislative perspective, the issue of privacy is governed by several laws. The Privacy Act of 1974[5] placed limitations on Federal Government agencies' collection, disclosure, and use of personal information maintained in computer systems. More recently, the E-Government Act of 2002[6] provided additional protection for personal information by requiring agencies to conduct Privacy Impact Assessments (PIA). A PIA is required for every computer system or project that collects personal information and must be maintained by the bureaus and agencies. A PIA represents an analysis of how personal information is handled to ensure it conforms to applicable legal and regulatory requirements over privacy; determines the risks and effects of collecting, maintaining, and disseminating information in identifiable form; and examines and evaluates protections and alternative processes for handling information to reduce potential privacy risks. Systems must be reevaluated every 3 years or when major system modifications[7] occur.

In addition, the Consolidated Appropriations Act of 2005, Section 522,[8] required each agency to have a Chief Privacy Officer to assume the responsibility for privacy and data protection policy. These legislative requirements provide the need for a strong privacy program within Federal Government bureaus and agencies.

The administration of the IRS privacy program is the responsibility of the Director, Office of Privacy and Information Protection, who reports directly to the Chief, Mission Assurance and Security Services. The mission of the Office of Privacy and Information Protection is to ensure IRS policies and programs incorporate taxpayer and employee privacy requirements and the personal information entrusted to the IRS remains protected, secure, and private.

This review was performed at the IRS National Headquarters in Washington, D.C., in the Office of Privacy and Information Protection during the period September 2005 through March 2006. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] The Department of Veterans Affairs provides patient care, veterans' benefits, and customer satisfaction for our nation's veterans and their families.
[2] The Federal Trade Commission was created in 1914 to prevent unfair methods of competition in commerce and to police anticompetitive practices.
[3] The Privacy Rights Clearinghouse is a nonprofit consumer organization established to raise consumer awareness of how technology affects personal privacy, empower consumers to take action to control their own personal information by providing practical tips on privacy protection, and respond to and document specific privacy-related complaints from consumers.
[4] This is an IRS computer system capable of retrieving or updating stored information; it works in conjunction with a taxpayer's account records.
[5] 5 U.S.C. § 552a (a)(5).
[6] Pub. L. No. 107-347 (2002), sec. 208.
[7] A major modification is any programming or equipment change that affects how the system interfaces with users, processes data, or generates reports. In addition, these changes may affect the security of the system.
[8] Pub. L. No. 108-447, 188 Stat. 2268, 5 U.S.C. 522a note.


Results of Review

Because of the large amount of personal information it receives and concern over privacy implications of maintaining that information, the IRS established the Privacy Advocate position in 1993, becoming the first Federal Government agency to assign privacy to an executive official. Within the past 2 years, the Office of Privacy and Information Protection has maintained and enhanced the IRS' privacy program by:

    •   Chairing a working group reviewing privacy and disclosure issues to be included in the IRS annual security training, as well as serving as a member of several inter- and intra-agency committees and task groups.
    •   Increasing privacy awareness by having the Office of Privacy and Information Protection actively participate in the IRS' annual Security Awareness week in the National Headquarters Office.
    •   Updating and distributing privacy literature to IRS security managers and records officers and to over 70,000 volunteer tax preparers through Volunteer Income Tax Assistance[9] and Tax Counseling for the Elderly[10] Centers.
    •   Creating an online privacy training segment on the Office of Privacy and Information Protection web site.

    The IRS can take further actions to ensure PIAs have been conducted for all systems that collect personal information and enhance its processes to better monitor compliance with privacy policy procedures.

Despite the Office of Privacy and Information Protection's efforts to increase privacy awareness and manage its program, the IRS is not complying with legislative privacy requirements and, thus, is not ensuring the privacy of taxpayer data is being tracked and monitored adequately. Specifically, the IRS can take further actions to ensure PIAs have been conducted for all systems and applications that collect personal information and enhance its processes to better monitor compliance with privacy policy and procedures. These improvements will allow the IRS to better identify and monitor all uses of taxpayer data and will provide the first steps to ensure the security and protection over taxpayer data throughout the agency.

[9] The Volunteer Income Tax Assistance Program offers free tax help for low- to moderate-income (approximately $38,000) people who cannot prepare their own tax returns. Volunteers, sponsored by various organizations, receive training to help prepare basic tax returns in communities across the country. Volunteer Income Tax Assistance sites are generally located at community and neighborhood centers, libraries, schools, shopping malls, and other convenient locations. Some locations also offer free electronic filing.
[10] The Tax Counseling for the Elderly Program provides free tax help to people age 60 and older. Trained volunteers from nonprofit organizations provide free tax counseling and basic income tax return preparation for senior citizens. Volunteers who provide tax counseling are often retired individuals associated with nonprofit organizations that receive grants from the IRS.

The Office of Privacy and Information Protection Needs to Ensure Required Privacy Impact Assessments Are Conducted and Tracked

Computer systems that collect personal information did not have PIAs

The E-Government Act of 2002 and IRS guidelines require every computer system or project that collects personal information to have a current PIA on file with the Office of Privacy and Information Protection. The existence of the PIA provides reasonable assurance that privacy implications have been considered and evaluated in the collection of the data. Systems must be reevaluated every 3 years.

As of August 2005, the IRS maintained 281 computer systems to assist in tax administration. Of these, 241 collected and processed personal information, consisting of either taxpayer or employee data. Based on privacy requirements, each of these 241 systems should have a PIA completed by system owners and maintained by the Office of Privacy and Information Protection. However, we were unable to locate PIAs for 130 (54 percent) of the 241 computer systems.

The IRS classifies its computer systems into three categories: general support systems, major applications, and nonmajor applications.[11] Table 1 presents the number of computer systems in each classification that did not have a PIA.

Table 1: Number of Computer Systems Without PIAs That Collect Taxpayer or Employee Data

    System Classification     | Total Number of Computer Systems | Number of Computer Systems That Process or Collect Personally Identifiable Data | Number of Computer Systems Without a Required PIA Statement
    General Support Systems   |  29                              |  29                                                                             |  21 (72%)
    Major Applications        |  53                              |  53                                                                             |   5 (9%)
    Nonmajor Applications     | 199                              | 159                                                                             | 104 (65%)
    Totals                    | 281                              | 241                                                                             | 130 (54%)

Source: The Office of Privacy and Information Protection's inventory lists and our report entitled Treasury Inspector General for Tax Administration - Federal Information Security Management Act Report for Fiscal Year 2005 (Reference Number 2006-20-071, dated October 2005).

We attribute the missing PIAs to the lack of emphasis on privacy issues and the decision to not require that all systems be certified and accredited,[12] which included the submission of PIAs as part of the certification process.

    •   We believe the IRS did not maintain an emphasis on the importance of privacy prior to the arrival of the current Director, Office of Privacy and Information Protection, in April 2005. The Office of Privacy and Information Protection has had three different Directors and several acting officials since 2003 and has encountered several organizational changes; the latest was in 2005 when it moved from directly reporting to the Deputy Commissioner for Operations Support to the Chief, Mission Assurance and Security Services. This lack of a permanent Director and organizational shuffling has not provided leadership continuity and organizational stability to the Office of Privacy and Information Protection and, as a result, has not allowed the importance of privacy to remain in the forefront within the IRS. In addition, the current Office of Privacy and Information Protection is authorized only 10 Full-Time Equivalent[13] employee positions, which consist of 1 Director, 1 Deputy Director (currently vacant), 1 staff assistant, and 7 staff analysts (1 currently vacant), to implement its mission and oversee privacy within the IRS, an organization of over 100,000 employees.
    •   In 2005, the Office of Mission Assurance and Security Services assigned all of its nonmajor applications to 1 of the 29 general support systems. The rationale for this classification was that the general support systems would provide the majority of the security controls for the nonmajor applications. As such, the IRS placed less emphasis on documenting security and privacy requirements for the nonmajor applications, which included the completion of certification and accreditation. The certification process includes the submission of PIAs. This decision appears to explain why we were unable to locate PIAs for 65 percent of the nonmajor applications.[14]

The Office of Privacy and Information Protection, as part of its own poststudy review of the Federal Information Security Management Act (FISMA)[15] reporting process, found that "mapping the Office of Privacy and Information Protection inventory to the Fiscal Year 2005 FISMA inventory was difficult due to the inability to clearly identify the subcomponents of the general support systems and major applications." The Office of Privacy and Information Protection has acknowledged the lack of PIAs as a weakness and has taken proactive steps to increase privacy awareness, such as conducting awareness presentations to IRS business unit executives and in the IRS' annual Security Awareness week in the National Headquarters Office on the risks and requirements of privacy for computer systems maintaining personal identifiable information.

We believe it is critical that the IRS complete PIAs for all computer systems or projects in which personal information is collected, processed, used, and/or stored. When PIAs are not prepared and properly maintained, the IRS is unaware of all instances in which the collection of data is occurring, and the IRS could be violating privacy regulations and unnecessarily exposing sensitive data to theft or misuse. As such, public trust could be lost when privacy risks are not identified and privacy protections are not adhered to.

An effective management information system to track PIAs does not exist

The Office of Privacy and Information Protection recognizes that sound business practice requires a functional and useful centralized management information system to track and monitor its PIAs. The Office of Privacy and Information Protection is currently using a system developed by the Office of Disclosure.[16] This system contains pre-set data fields and cannot be customized to add more useful information, so it is mainly used to assign and generate PIA control numbers. Because of this limitation, the Office of Privacy and Information Protection created two additional inventory systems to capture specific information for different uses. One system is used to calculate the number of days the PIA is open and when a recertification is due, and the second system is a working file for the analysts. Inefficiencies exist when the staff need to query two inventory lists to obtain basic information, such as the system name and associated PIA control number. Also, maintaining multiple inventory lists creates data inaccuracies, such as determining when a recertification of a system's PIA is due. For example, we identified the following discrepancies among the several PIA lists:

    •   There were 91 computer systems listed as recertified that had different PIA completion dates on each of the 3 lists.
    •   There were 20 computer systems listed as either "Retire" or "Dead"[17] on 1 list but shown as recertified on another list.

The Office of Privacy and Information Protection has also identified its management information system as a weakness in its poststudy review of the FISMA reporting process. As a result, the Office of Privacy and Information Protection is developing an electronic, menu-driven, and more user-friendly version of the PIA and has plans to incorporate and implement the new PIA in a new management information system scheduled to be completed by the end of Fiscal Year 2006.

Recommendations

Recommendation 1: The Chief, Mission Assurance and Security Services, should request IRS business owners to identify and report all systems or projects that collect personal identifiable information. A PIA should be prepared and submitted to the Office of Privacy and Information Protection for monitoring, oversight, and evaluation.

    Management's Response: IRS management agreed with this recommendation. The Office of Privacy and Information Protection will annually cross-walk (reconcile) the PIA inventory to existing system inventories and provide information to business owners for systems requiring PIAs.

[11] A general support system is an interconnected set of information resources under the same direct management control that shares common functionality. A major application is a computer system that requires special management oversight because of the information it contains, processes, or transmits or because of its criticality to the organization's mission. A nonmajor application is a computer system that does not require special management oversight because the information it contains, processes, or transmits is less critical to the organization's mission.
[12] Certification is the comprehensive evaluation of the technical and nontechnical security controls and the identification of any weaknesses with those controls or lack thereof. Accreditation is an authorization granted by a management official to operate the system based on the evaluation of the security controls. It is a statement that the management official (i.e., the accrediting official) is aware of, understands, and accepts responsibility for the risks associated with placing the system into operation. Certification and accreditation, as defined and required by the Office of Management and Budget for all Federal Government automated information systems, is a process to provide assurance that adequate security controls are in place over computer systems.
[13] A Full-Time Equivalent is a measure of labor hours in which 1 Full-Time Equivalent is equal to 8 hours multiplied by the number of compensable days in a particular fiscal year.
[14] The IRS has recently changed this requirement and decided to require certification and accreditation for all systems, regardless of classification, for Fiscal Year 2006.
[15] The FISMA is part of the E-Government Act of 2002, Pub. L. No. 107-347, Title III, Section 301 (2002). The FISMA includes protecting information and information systems from unauthorized access, use, disclosure, or modification, including controls for disclosure and confidentiality to protect personal privacy.
The Office of Privacy and Information Protection will also\n         conduct a study to identify PIA process improvements to ensure limited resources are\n         focused on systems that collect personal identifiable information and will establish\n         policy, based on the study, for systems that require a PIA.\n\n\n16\n   The Office of Disclosure reports to the Director, Communications, Liaison, and Disclosure, within the Small\nBusiness/Self-Employed Division. The Office of Privacy and Information Protection reported to the Office of\nDisclosure from 2000 until 2003.\n17\n   Retired and dead computer systems are those no longer in use and no longer processing data for tax\nadministration.\n                                                                                                           Page 7\n\x0c                   The Monitoring of Privacy Over Taxpayer Data Is Improving,\n                            Although Enhancements Can Be Made\n                       to Ensure Compliance With Privacy Requirements\n\n\n\nRecommendation 2: The Director, Office of Privacy and Information Protection, should\nestablish a centralized repository for all PIAs in a searchable, electronic format. The process\nshould be developed to verify the accuracy of the PIA inventory quarterly. The Office of\nPrivacy and Information Protection should also develop an electronic document management\nsystem for archiving electronic PIA artifacts.\n       Management\xe2\x80\x99s Response: IRS management agreed with this recommendation. The\n       Office of Privacy and Information Protection will develop and implement a process to\n       verify the PIA inventory accuracy quarterly. 
         The Office of Privacy and Information Protection is also developing an electronic PIA inventory and an electronic document management system for archiving electronic PIA artifacts.

Monitoring of Privacy Compliance Can Be Enhanced

The Office of Privacy and Information Protection’s role in the organization is to ensure the IRS is complying with privacy requirements. The E-Government Act established that the primary control over privacy compliance for the Federal Government is the use of PIAs. While the main goal should be to have complete and accurate PIAs for all instances in which the IRS is collecting and using sensitive data (i.e., taxpayer or employee data), equally important are the processes to ensure PIAs are being properly and accurately completed. Compliance with privacy requirements can be segmented into three key activities:

   1. Providing awareness training to IRS employees on the requirements for privacy of taxpayer data and on the completion of PIAs for all instances in which sensitive data are being collected.
   2. Conducting initial reviews of submitted PIAs for completeness, accuracy, and consistency with IRS requirements.
   3. Conducting compliance reviews of existing PIAs to validate adherence to the information submitted in the PIAs.

We assessed the Office of Privacy and Information Protection’s efforts in these three areas and determined it did not have a formal privacy training program, initial reviews of PIAs could be enhanced and better documented, and compliance reviews of PIAs were not conducted. By addressing these areas, the Office of Privacy and Information Protection would better fulfill its responsibility to create and maintain privacy awareness among IRS employees and monitor compliance with privacy requirements for the IRS as a whole.

The Office of Privacy and Information Protection does not have a formal training program

In an effort to help identify systems collecting personal information and increase awareness of and compliance with privacy requirements, the Office of Privacy and Information Protection conducts ad hoc training and awareness presentations whenever the opportunity arises. For example, the Director, Office of Privacy and Information Protection, and senior staff are members of task forces, committees, and professional organizations and have provided privacy expertise and privacy-related presentations at various meetings. This includes proactively giving awareness presentations to IRS business unit executives on the risks and requirements of privacy for computer systems maintaining personal identifiable information and collaborating with other IRS business units and the Department of the Treasury on proposed revisions to tax laws and implementation of a Department-wide PIA initiative. The Office of Privacy and Information Protection also developed an online, self-study privacy awareness segment that is available to all IRS employees. However, the Office of Privacy and Information Protection does not have a regular awareness training schedule or specific role-based privacy training, nor does it mandate the completion of its online, self-study privacy awareness training by all employees.

In addition, the Office of Privacy and Information Protection does not have a formal management information system to track training delivered to IRS employees. The Office of Privacy and Information Protection was unable to provide such basic information as the number of IRS employees and contractors who attended privacy-related training courses and awareness presentations, training costs expended, or staff days applied toward training. In response to our review, the Office of Privacy and Information Protection recently requested IRS employees who have completed the online, self-study privacy awareness training on the Office of Privacy and Information Protection’s web site to send copies of their certificates of completion for tracking and documentation purposes. The Office of Privacy and Information Protection stated that, due to limited resources and staffing, a management information system to track privacy training will be a long-range goal. The Director, Office of Privacy and Information Protection, is also working to develop a computer-based module to be included as part of the mandatory computer security and Unauthorized Access training.18

18 Unauthorized Access training is an annual requirement for all IRS employees as a result of the Taxpayer Browsing Act of 1997, 26 U.S.C.A. §§ 7213, 7213A, 7431 (West Supp. 2003).

Without a formal training program and an effective tracking system, the Office of Privacy and Information Protection cannot be assured it is meeting its mission to inform, educate, and make all IRS employees aware of important privacy issues, policies, and requirements.

The PIA review process needs to be improved, and review documentation requirements need to be strengthened

Our analysis of a sample of 20 PIAs determined the PIA review process was not always consistently conducted and review results were not always properly documented. The 20 PIAs were conducted from November 2002 to September 2005. Specifically:

     •   Nine of the 20 PIAs were cursory, and the information provided was taken at face value, especially for current production environment systems19 for which supporting information may not be available or does not exist.
     •   Eleven of the 20 PIAs were lacking case history information and supporting documentation for statements made in the PIA, which, at a minimum, should be included in the case file. Most case files had comments or concerns made on the initial version of the PIA, but there were no indications as to the response or resolution of the comments or concerns. Generally, there was no case history information, which, if available, could be used by the Office of Privacy and Information Protection to better manage the privacy program through internal reviews and to determine whether further actions are needed or the reasons for delays.
     •   Six of the 20 PIAs were to recertify an existing system. A simple, one-page form was used to recertify a PIA, but there was no supporting documentation or history log to indicate whether an in-depth analysis was conducted to support the recertification or to verify the system had no “significant changes” subsequent to when the original PIA was prepared.

19 These are computer systems currently in use and processing data for tax administration.

At the time the Office of Privacy and Information Protection completed the PIAs, there were no PIA review procedures, nor was there an available core list of source information to verify system facts and information. As a result, PIA reviews were not consistently performed. The analysts did not properly document actions pending or taken in a history log and can review the answers provided in the PIA only for consistency.

This issue was also reported by the Government Accountability Office.20 The report cited the lack of a comprehensive assessment of an IRS system selected for review, in that the PIA did not analyze how the agency reached its decision in its response to a PIA question. The report stated that the IRS did not fully address these steps because it used a prior version of the guidance issued by the Office of Management and Budget.

20 Data Mining: Agencies Have Taken Key Steps to Protect Privacy in Selected Efforts, but Significant Compliance Issues Remain (GAO-05-866, dated August 2005).

Continued implementation of PIA review procedures would allow the Office of Privacy and Information Protection to (1) maintain a consistent quality of work and protect the IRS from violations of privacy regulations and statutes by identifying risks in the system and (2) limit information collection.

The Office of Privacy and Information Protection did not conduct compliance reviews

Based on discussions with Office of Privacy and Information Protection personnel, we determined the Office of Privacy and Information Protection did not conduct any compliance reviews on existing PIAs. IRS procedures provide for compliance reviews as a means to validate that information submitted in a PIA truly represents the data being collected in the computer system or project. These compliance reviews can provide opportunities to update and verify information stated in the PIAs and ensure business units are complying with privacy policies and procedures.
Compliance reviews also allow the Office of Privacy and Information Protection to have visibility within the IRS and to spread the importance of privacy throughout the agency. The Office of Privacy and Information Protection recognizes the lack of compliance reviews as a deficiency, and the Director hopes to redirect limited resources and staffing in the Fiscal Year 2006 Business Plan to address and implement this plan of action. As mentioned above, implementation of these procedures would allow the Office of Privacy and Information Protection to maintain a consistent quality of work and better manage the privacy program.

Recommendations

Recommendation 3: To monitor employee privacy awareness training, the Director, Office of Privacy and Information Protection, should initiate a program providing for the routine evaluation of employee training activities relative to current privacy policy requirements and develop a system for the tracking and monitoring of these activities.

         Management’s Response: IRS management agreed with this recommendation. The Office of Privacy and Information Protection is establishing privacy awareness training via the mandatory IRS Information Protection training. Also, the Office of Privacy and Information Protection will conduct an assessment of roles for which training must be given and initiate a job-specific training program for privacy. In addition, training modules on IRS privacy products, such as the PIA, will be developed. Training will be deployed via the IRS Enterprise Learning Management System to ensure accurate monitoring and tracking. To supplement the training, the Office of Privacy and Information Protection will develop and deploy an assessment methodology to survey IRS employees annually on their knowledge of privacy policy requirements, which will provide feedback on employee awareness and training needs.

Recommendation 4: The Director, Office of Privacy and Information Protection, should reinforce the importance of PIA case documentation with specific instructions or case models and implement a compliance review process to assess whether IRS business units are adhering to privacy regulations, given the limited resources and staff knowledge in conducting these reviews.

         Management’s Response: IRS management agreed with this recommendation. The Office of Privacy and Information Protection will establish assessment standards for PIAs to ensure consistency and extent of coverage based on system complexity, along with case documentation and analysis requirements. For the short term, the Office of Privacy and Information Protection will investigate tools, conduct a pilot of selected tools, assess results, and implement interim measures to establish and implement compliance review guidelines and a process to ensure adherence to privacy regulations. For the long term, the Office of Privacy and Information Protection will build on knowledge obtained in the short term and implement comprehensive measures to establish and implement compliance review guidelines and processes.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the Office of Privacy and Information Protection1 has effective controls and procedures to ensure IRS computer systems and employees adhere to privacy regulations. To accomplish this objective, we:

I.       Determined whether Office of Privacy and Information Protection controls and procedures were in place to ensure adherence to privacy regulations.
         A. Determined whether a management information system was in place to track PIAs,2 evaluated the type of data captured by the system, and obtained a list of all PIAs conducted to determine whether all systems in the IRS had a description of the information being maintained from a privacy perspective.
         B. Selected and reviewed a representative judgmental sample of 20 of the 241 IRS systems that collect and process either taxpayer or employee personal information. We validated selected information from the PIAs to determine whether responses were accurate and adequately supported by documentation.
            We used a judgmental sample because we did not plan to project our results to the population and had received agreement to our conclusions after we completed our review of the 20 PIAs.
         C. Obtained a list of privacy training classes and awareness presentations conducted since October 2003, determined whether a management information system was in place to track training sessions, and evaluated the type of data captured.
         D. Evaluated the Fiscal Year 2005 and 2006 Business Plans for the Office of Privacy and Information Protection to determine whether plans and goals were included to promote employee and contractor privacy responsibilities, promote the mission and activities of the Office of Privacy and Information Protection, and make all employees and contractors aware of relevant privacy laws and policies.
         E. Ascertained whether the Office of Privacy and Information Protection conducts compliance or “safeguard” reviews.
         F. For the PIAs sampled in Step I.B, interviewed the business owner, program manager, and system administrator of the computer system to determine whether they had attended a privacy training class or awareness presentation within the past 2 calendar years; completed the online privacy training session available on the Office of Privacy and Information Protection web site; and coordinated adequately with the Office of Privacy and Information Protection, Office of Disclosure, and Office of Security.
         G. Obtained from the Treasury Inspector General for Tax Administration Office of Investigations and the IRS Office of Disclosure a list of all instances of unauthorized and inadvertent disclosure of sensitive information. We evaluated whether a management information system was in place to track unauthorized disclosures and the type of data captured by the system.

1 The administration of the IRS’ privacy program is the responsibility of the Director, Office of Privacy and Information Protection, who reports to the Chief, Mission Assurance and Security Services. The mission of the Office of Privacy and Information Protection is to ensure IRS policies and programs incorporate taxpayer and employee privacy requirements and the personal information entrusted to the IRS remains protected, secure, and private.

2 A PIA is an analysis of how personal information is collected, stored, shared, and managed in a Federal Government system. Specifically, a PIA (1) ensures handling conforms to applicable legal, regulatory, and policy requirements on privacy; (2) determines the risks and effect of collecting, maintaining, and disseminating personal information; and (3) examines and evaluates protection and alternative processes for handling personal data to reduce potential privacy risks.

II.      Determined whether all programs (systems and research projects) collecting personally identifiable data had PIAs.
         A. Met with Office of Privacy and Information Protection staff to determine their interpretation of the Consolidated Appropriation Act,3 as it applies to “programs collecting personally identifiable data.”
         B. Obtained and reviewed the IRS inventory of computer systems included in our report entitled Treasury Inspector General for Tax Administration - Federal Information Security Management Act Report for Fiscal Year 2005 (Reference Number 2006-20-071, dated October 2005) to identify systems that meet the definition of a “program collecting personally identifiable data” but did not have PIAs.
         C. Obtained the Office of Privacy and Information Protection documentation supporting its responses to Section D (Reporting Template for Senior Agency Officials for Privacy) of the FISMA Reporting for Fiscal Year 2005 and reviewed the documentation to validate the accuracy of its “cross-walk” (reconciliation) of PIAs to the IRS inventory of computer systems.
         D. Met with Office of Privacy and Information Protection personnel to discuss whether research projects meet the definition of “programs collecting personally identifiable data” that would require a PIA, particularly those conducted by the Office of Research or the Office of Statistics of Income.

3 Pub. L. No. 108-447, 188 Stat. 2268, 5 U.S.C. 522a note.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Kent Sagara, Acting Director
Joseph Cooney, Acting Audit Manager
Louis Lee, Senior Auditor
Abraham Millado, Senior Auditor
Jackie Nguyen, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Commissioner, Small Business/Self-Employed Division SE:S
Acting Chief Information Officer OS:CIO
Director, Communications, Liaison, and Disclosure, Small Business/Self-Employed Division SE:S:CLD
Director, Office of Privacy and Information Protection OS:MA:OPIP
Director, Governmental Liaison and Disclosure, Small Business/Self-Employed Division SE:S:CLD:GLD
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Commissioner, Small Business/Self-Employed Division SE:S
       Acting Chief Information Officer OS:CIO
       Chief, Mission Assurance and Security Services OS:MA

Appendix IV

Management’s Response to the Draft Report